If you’re looking to hire a cyber risk analyst – or if you are a risk analyst looking to up your game – I recommend reading Jack Jones’ new eBook An Executive’s Guide to Cyber Risk Economics where you’ll find the definitive checklist of skills required to do reliable risk analysis.
As Jack writes, “unfortunately, most of the risk measurement taking place in organizations today is not being performed by people who apply any rigor. The ‘wet finger in the air’ predominates.”
Here’s Jack’s list of the 5 top job requirements for an effective risk analyst, cyber or otherwise (and note that these are all about thinking skills, not knowledge of databases, applications or other cyber stuff).
1. Strong critical thinking skills
As an industry, we sometimes think this means someone who has more education. But I’ve known people without advanced degrees who can solve almost any problem thrown their way just by breaking it down and thinking about it critically.
You should be able to give a risk analyst a case study or a calibration exercise where the purpose isn’t necessarily to get to the right answer but to see how he or she approaches a problem. When I interviewed for a Risk Analyst job at RiskLens, they asked me to estimate, off the top of my head, how tall in meters the Sears Tower in Chicago is! See the cheat sheet to the left for 7 tips on calibrating measurements, taken from the FAIR (Factor Analysis of Information Risk) Model on One Page.
2. An understanding of basic probability principles
This does not mean being an expert in statistics. If you can discriminate between what is possible and what is probable, that is generally a great starting point. Give an analyst a case study, and he or she should be able to determine what the assets at risk are, who or what the threats are, and what the range of likely outcomes is. For an analyst trained in the FAIR methodology, that would be easy.
3. Training in calibrated estimation
The ability to make estimates in a risk analysis is a huge benefit – it allows you to be accurate with a useful amount of precision. Some people are naturals at estimation, some not so much, but it is a skill you can learn. A smart risk analyst should know about these training resources:
- LessWrong.com, loaded with materials on critical thinking, including a list of websites offering training and tests on calibration skills.
- Douglas Hubbard’s book How to Measure Anything: Finding the Value of Intangibles in Business has introduced many analysts to calibration. In addition to the tests in the book, Hubbard offers more tests on HowToMeasureAnything.com.
- Jack Jones’ book Measuring and Managing Information Risk: A FAIR Approach, our bible for quantifying risk. See Chapter 5, especially.
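The calibration tests in the resources above all work the same way: you give a 90% confidence range for each question, and you are calibrated if about 90% of your ranges contain the true value. The scorer below is an added example (not from the post or from any of the books listed) that grades such an exercise; the questions, ranges and “true” values are constructed sample data, and the two-standard-error tolerance for deciding over- or underconfidence is my own assumption.

```python
# Added example: grade a calibration exercise of 90% confidence intervals.
# Assumption: each answer is a (low, high) range the analyst is 90% sure
# contains the true value. Sample data below is constructed, not real.
from math import sqrt

def score_calibration(answers, truths, target=0.90):
    """Return hits, hit rate and a verdict for a batch of interval estimates."""
    if not answers or len(answers) != len(truths):
        raise ValueError("need exactly one (low, high) answer per true value")
    hits = sum(1 for (low, high), t in zip(answers, truths) if low <= t <= high)
    n = len(answers)
    rate = hits / n
    # Sampling noise of a proportion observed at the target rate: sqrt(p(1-p)/n).
    # A batch within two standard errors of the target is treated as calibrated
    # (assumed tolerance; with only 10 questions this flags overconfidence only).
    se = sqrt(target * (1 - target) / n)
    if rate < target - 2 * se:
        verdict = "overconfident"    # ranges are too narrow
    elif rate > target + 2 * se:
        verdict = "underconfident"   # ranges are too wide to be useful
    else:
        verdict = "calibrated"
    return {"hits": hits, "n": n, "rate": rate, "verdict": verdict}

# Constructed exercise: ten questions, the analyst's 90% ranges, and the
# "true" values used for grading (all values are made up for illustration).
SAMPLE_ANSWERS = [(400, 500), (100, 130), (80, 100), (2, 4), (700, 900),
                  (15, 25), (500, 600), (50, 70), (8, 12), (300, 400)]
SAMPLE_TRUTHS = [442, 120, 75, 3.2, 1000, 18, 560, 42, 9.5, 250]

if __name__ == "__main__":
    print(score_calibration(SAMPLE_ANSWERS, SAMPLE_TRUTHS))
```

Six hits out of ten is a 60% hit rate against a 90% target, so the constructed analyst is overconfident: the fix is wider ranges, not more confidence. Note that a batch this small cannot reliably detect underconfidence; the books above use many more questions per test for that reason.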
4. Being comfortable with numbers
As Jack Jones mentions, no PhD required – the important thing is to know where your numbers come from and how to explain them. That comes down to two things:
- A good “rationale”, in the terms of the FAIR model, “documenting the scope of the analysis, as well as the reasoning and basis for each value used in the analysis,” as Jack writes in Measuring and Managing Information Risk.
- Using numbers in terms of ranges instead of a static value. As my colleague Cody Whelan writes, “a good risk analyst realizes that we’re not looking for precise answers to the inputs to our questions, because more often than not they don’t exist” (from Life’s Uncertainties and the Risk Analyst).
5. Familiarity with decision support technologies (for example, Monte Carlo functions)
Jack says ‘familiarity’ not ‘expertise’. For FAIR-trained risk analysts, that means understanding the output from a Monte Carlo engine, which draws random samples from the input ranges and runs thousands of simulations to produce a range of figures that show potential losses in dollar terms.
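To make points 4 and 5 concrete, here is an added example of a small Monte Carlo loss-exposure simulation; it is not the RiskLens engine or code from the FAIR books. It takes two FAIR-style inputs as min / most-likely / max ranges, loss event frequency (events per year) and loss magnitude (dollars per event), samples each with a PERT distribution, draws the number of events per simulated year from a Poisson distribution, and reports the resulting annualized loss as percentiles rather than a single number. The PERT shape parameter, the Poisson choice for event counts, and the sample ranges are all assumptions made for the example.

```python
# Added example: FAIR-style Monte Carlo loss exposure from calibrated ranges.
# Assumptions: inputs are (min, most_likely, max) ranges; loss event frequency
# is sampled per simulated year and the event count drawn from a Poisson
# distribution with that rate; each event's loss magnitude is sampled from a
# PERT distribution. Sample ranges below are constructed for illustration.
import math
import random
import statistics

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified-PERT distribution bounded by [low, high]."""
    if not (low <= mode <= high):
        raise ValueError("expected low <= mode <= high")
    if high == low:
        return low
    span = high - low
    a = 1 + lam * (mode - low) / span
    b = 1 + lam * (high - mode) / span
    return low + rng.betavariate(a, b) * span

def pert_samples(n, low, mode, high, seed=0):
    """Convenience wrapper: n PERT draws from a seeded generator."""
    rng = random.Random(seed)
    return [pert_sample(rng, low, mode, high) for _ in range(n)]

def poisson_sample(rng, rate):
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef, lm, years=10000, seed=7):
    """Return one annualized loss figure per simulated year.

    lef: (min, mode, max) loss event frequency in events per year.
    lm:  (min, mode, max) loss magnitude in dollars per event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = pert_sample(rng, *lef)            # how often, this year
        events = poisson_sample(rng, rate)       # how many events actually occur
        losses.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    return losses

def summarize(losses):
    """Percentile view of the loss distribution, the way a risk report shows it."""
    s = sorted(losses)
    n = len(s)
    def pct(p):
        return s[min(n - 1, int(p * n))]
    return {"min": s[0], "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": s[-1], "mean": statistics.mean(s)}

# Constructed inputs: a scenario expected roughly once every two years
# (0.2 to 2.0 per year) costing $10k to $400k per event, most likely $50k.
LEF_RANGE = (0.2, 0.5, 2.0)
LM_RANGE = (10_000, 50_000, 400_000)

if __name__ == "__main__":
    result = summarize(simulate_annual_loss(LEF_RANGE, LM_RANGE))
    for key, value in result.items():
        print(f"{key:>4}: ${value:,.0f}")
```

The output a FAIR analyst has to be able to read is the percentile table, not any single row: the p10 and p50 are what you should expect in a normal year, the p90 is the figure that justifies a control budget, and the rationale for the three input ranges is what a reviewer will ask about first.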
And one bonus skill…
Resourcefulness. Effective risk analysts are not afraid to ask questions, even tough questions. They can admit that they don’t know an answer, and they keep looking until they find someone who does.
Bottom Line: If you're looking for one credential that's a sure sign that a risk analyst possesses all these skills, that would be certification in the FAIR methodology. Check out the FAIR training resources here.